[SECURITY] The Durable Password Strategy
- This guide lays out the basics of an online password strategy. Compromised passwords come from hundreds of potential sources: the services you use, and the ones you have forgotten you ever signed up for.
- This guide is the first part of multiple learning resources coming soon.
Have a good strategy, step by step 🔐
From Zero to Hero, here's a breakdown of how to manage passwords and online activity, and how to be proactive with your digital identity. Passwords are inherently linked to the corresponding email addresses and personal data, so you need to secure both to get a sustainable method. As a user, your options are not infinite, but regaining a form of control, by giving each tool a clear role and centralizing your assets, is your best bet.
At a glance, a few steps are needed to build a good strategy; here's a quick breakdown:
- Make a global cleanup of your accounts
- Apply strong, unique passwords everywhere
- Set up MFA everywhere: TOTP first, then YubiKeys where it matters
- Use unique or temporary email addresses with your accounts to mitigate leaks and tracking
As you can see, passwords need to be backed by other mechanisms and techniques.
Identify your online activity 👀
The first step is finding where you're actually vulnerable: public leaks, data breaches and so on. Your weak spots are essentially forgotten accounts that still use an insecure (often reused) password and also expose personal information (name, age, location…). As you may know, a strong password alone is not sufficient to protect your data. If your threat model is ambitious, you need countermeasures that preserve the integrity of your data, all the more when it lives on an external service you have no right to inspect.
This methodology also gives you the ability to act quickly when a breach is announced: you know which accounts exist and which password each one uses.
First, you can look up your leaked passwords or sensitive data on the breach-search services cited in this guide (haveibeenpwned, intelx):
⚠️ A private account with a good password is not automatically safe. The service itself can be breached, sell your data, or simply follow bad practices that expose you and make your identity more vulnerable.
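The breach lookup above can be done without ever sending your password, or even its full hash, to the lookup service. The following is an added example (not code from this guide): it implements the k-anonymity scheme of the Have I Been Pwned "Pwned Passwords" range API, where only the first 5 hex characters of the SHA-1 hash are sent and the matching suffixes are checked locally. The range response embedded here is constructed for the demo (the counts are invented); `fetch_range()` talks to the real endpoint but is not called by anything below.

```python
# Added example, not part of the original guide: HIBP k-anonymity password check.
# Only a 5-character hash prefix leaves the machine; the match happens locally.
from __future__ import annotations

import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"  # documented HIBP endpoint

# Constructed sample of a range response ("SUFFIX:COUNT" lines). The counts are
# invented for the demo; the second suffix is the tail of SHA-1("password").
CONSTRUCTED_RANGE = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
    "1F1F4C3C5E5B4A0E8C2E0D9A6B7C8D9E0F1:0\n"  # zero-count padding entry
)


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into (5-char prefix, 35-char suffix).
    Only the prefix is ever sent to the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Zero-count lines are
    padding decoys (returned when the Add-Padding header is set) and are dropped."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        try:
            n = int(count)
        except ValueError:
            continue  # malformed line: ignore rather than trust it
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, range_text: str) -> int:
    """How many times the password appears in breaches, given the range response
    for its own prefix. 0 means the suffix was not in the range."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_text).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch the real range for a 5-hex-char prefix (network; not used by the demo)."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "durable-password-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_online(password: str) -> int:
    """Full flow against the live API: send the prefix, match the suffix locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))
```

Usage: `breach_count("password", CONSTRUCTED_RANGE)` returns the constructed count for that password's suffix, while a password whose suffix is absent returns 0. Note that a hit means the password is public, whoever used it; the right reaction is to rotate it, not to argue about which breach it came from.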
Mailbox + Usernames ✉️ 👤
Username recon
Need help recovering all your accounts? Start from the usernames you know you use and look for them, and likely variants, across online services (a username reused on several sites links those accounts together):
Mailbox recon
A mailbox is a treasure chest. Years of archives are stored in it, with sensitive attachments and private data. Email addresses are also used for account recovery, and even as login identifiers. That is a problem in itself, but we'll come back to it later.
Digging through an old mailbox is very time-consuming. It can take weeks to months. Start by searching your mailbox for keywords such as "account", "sign-in", "welcome"… Since most people never delete emails, the chances of finding hidden gems are high, and the more forgotten accounts you look for, the better you'll understand your digital footprint.
Take note of those accounts. Deleting the ones you no longer need is a good thing, but be aware that some services will keep sending you newsletters, and some simply "ignore" deletion requests. If needed, this website gives you instructions for deletion requests:
⚠️ Account deletion often means your data stays on their servers; some services require a separate request to fully delete ALL of your data.
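The keyword search above can be automated over a mailbox export, which turns weeks of manual digging into a list of sender domains to review. The following is an added example, not code from this guide: it scans an mbox file (the export format most providers offer) for the guide's keywords in the subject line and groups the hits by sender domain. The four messages embedded below are constructed for the demo.

```python
# Added example, not part of the original guide: inventory the services that
# e-mailed you about an account by scanning an mbox export for account-related
# keywords and grouping the hits by sender domain.
import mailbox
import re
import tempfile
from collections import defaultdict
from email.header import decode_header
from email.utils import parseaddr

# Keywords from the guide plus a few common account-mail words (assumption).
KEYWORDS = ("account", "sign-in", "sign in", "welcome", "verify", "password")

# Constructed mbox with four messages: three account-related, one personal.
SAMPLE_MBOX = """From MAILER-DAEMON Mon Jan  1 00:00:00 2018
From: Welcome Team <welcome@shop.example>
To: me@example.com
Subject: Welcome to Shop! Confirm your account
Date: Mon, 1 Jan 2018 10:00:00 +0000

Thanks for signing up.

From MAILER-DAEMON Tue Mar  6 00:00:00 2018
From: Shop <no-reply@shop.example>
To: me@example.com
Subject: New sign-in from Windows
Date: Tue, 6 Mar 2018 10:00:00 +0000

We noticed a new sign-in.

From MAILER-DAEMON Fri Jul 13 00:00:00 2018
From: "Forum" <noreply@forum.example>
To: me@example.com
Subject: Your forum.example account has been created
Date: Fri, 13 Jul 2018 10:00:00 +0000

Hello.

From MAILER-DAEMON Sat Sep  1 00:00:00 2018
From: Friend <friend@mail.example>
To: me@example.com
Subject: Lunch next week?
Date: Sat, 1 Sep 2018 10:00:00 +0000

Are you free?
"""


def _decoded(value):
    """Decode an RFC 2047 header (e.g. =?utf-8?q?...?=) into a plain string."""
    if value is None:
        return ""
    parts = []
    for chunk, charset in decode_header(value):
        parts.append(chunk.decode(charset or "utf-8", "replace") if isinstance(chunk, bytes) else chunk)
    return "".join(parts)


def inventory_mbox(path):
    """Return {sender_domain: [(date, subject), ...]} for messages whose subject
    matches one of KEYWORDS. Each domain is a lead for a forgotten account."""
    pattern = re.compile("|".join(re.escape(k) for k in KEYWORDS), re.IGNORECASE)
    hits = defaultdict(list)
    box = mailbox.mbox(path)
    try:
        for msg in box:
            subject = _decoded(msg.get("Subject"))
            if not pattern.search(subject):
                continue
            _, addr = parseaddr(_decoded(msg.get("From")))
            domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else "unknown"
            hits[domain].append((msg.get("Date", ""), subject))
    finally:
        box.close()
    return dict(hits)


def demo():
    """Write the constructed mbox to a temp file and inventory it."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as f:
        f.write(SAMPLE_MBOX)
        path = f.name
    return inventory_mbox(path)
```

Usage: `inventory_mbox("/path/to/export.mbox")` on your own export; on the constructed sample, `demo()` reports `shop.example` (two messages) and `forum.example`, and leaves the personal mail from `mail.example` out. Matching only the subject keeps false positives low; widen it to the body if your provider's account mails use bland subjects.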
Short tip 👍
In your password manager, add a folder called "dead accounts" where you move newly deleted accounts, with the deletion date (and time, if useful) as a note. That way you keep a record of which accounts you deleted and when, and you can check later that the deletion was actually honoured.
Password manager 🧑🏼💼
A password manager (PM) is sometimes cold (an offline vault file stored locally), sometimes hot (an online, synced service). It knows the things you need and can be thought of as a personal bank vault, except that here the banker has no access whatsoever to the inside. PMs are sometimes accused of creating a single point of failure, but they are still very useful and should be adopted by most of us. What makes a good password manager? One concept: zero-knowledge encryption. The vault is encrypted on your device with a key derived from your master password, so you should be the only one with access to that master password, and therefore to your vault.
That's where online PMs cause some trouble.
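What "zero knowledge" means in practice is key separation: the client derives one key that encrypts the vault and a second, independent value that it uses to log in, and only the second one ever reaches the server. The following is an added example, not code from this guide or from any product; it is modelled on the pattern Bitwarden documents (a PBKDF2 master key salted with the e-mail, then one extra one-way step to produce the authentication hash), but the iteration counts, the in-memory `Server` and the placeholder ciphertext are this example's own assumptions.

```python
# Added example, not part of the original guide: the key-separation pattern
# behind zero-knowledge password managers. The vault key never leaves the
# client; the server stores only a hash of a separately derived login value.
from __future__ import annotations

import hashlib
import hmac
import os

KDF_ITERATIONS = 600_000     # assumption for the demo; pick the highest your devices tolerate
SERVER_ITERATIONS = 100_000  # assumption: server-side stretching of the auth hash


def derive_vault_key(master_password: str, email: str, iterations: int = KDF_ITERATIONS) -> bytes:
    """Client-side only: the key that encrypts the vault. Salted with the account
    e-mail so two users with the same password get different keys."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the client sends to log in: one more one-way step over the vault key,
    so the server can verify it without ever learning the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


class Server:
    """Stores a salted hash of the auth hash plus the opaque ciphertext; nothing
    it holds can decrypt the vault or recover the master password."""

    def __init__(self) -> None:
        self.records: dict[str, tuple[bytes, bytes, bytes]] = {}

    def register(self, email: str, auth_hash: bytes, encrypted_vault: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS, dklen=32)
        self.records[email] = (salt, stored, encrypted_vault)

    def login(self, email: str, auth_hash: bytes) -> bytes:
        salt, stored, vault = self.records[email]
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS, dklen=32)
        if not hmac.compare_digest(candidate, stored):  # constant-time compare
            raise PermissionError("bad master password")
        return vault  # still ciphertext: only the client can open it


def client_login(server: Server, email: str, master_password: str) -> tuple[bytes, bytes]:
    """Client flow: derive the vault key locally, send only the auth hash."""
    vault_key = derive_vault_key(master_password, email)
    blob = server.login(email, derive_auth_hash(vault_key, master_password))
    return vault_key, blob


def demo() -> tuple[bool, bool, bool, bool]:
    """Register, log in with the right and wrong password, and confirm the
    server record never contains the vault key."""
    email, pw = "me@example.com", "correct horse battery staple"
    server = Server()
    vault_key = derive_vault_key(pw, email)
    encrypted_vault = b"<constructed placeholder: real clients encrypt with vault_key>"
    server.register(email, derive_auth_hash(vault_key, pw), encrypted_vault)
    key_again, blob = client_login(server, email, pw)
    try:
        client_login(server, email, "wrong password")
        wrong_rejected = False
    except PermissionError:
        wrong_rejected = True
    return (key_again == vault_key, blob == encrypted_vault, wrong_rejected,
            vault_key not in server.records[email])
```

The design point: a breach of the server yields salts, stretched auth hashes and ciphertext. An attacker still has to guess the master password offline, which is why the KDF cost and the password's strength are the only things protecting a leaked vault; an e-mail-based recovery path that bypasses this step is exactly the hole the next section describes.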
Problem with online managers 🌐
Most online PMs (Bitwarden, LastPass…) tie the account to an email address used for verification or recovery (and/or MFA, but that's not the point here). That means you introduce a middle man: your email provider. Granted, it acts as a second factor and so brings a form of security that a cold PM doesn't have. If you use an online PM, use MFA on a separate device, not the email option…
But it also means you have another vulnerable asset, your mailbox, whose compromise can lead to a vault takeover. The irony is that your email password is probably stored in that very vault, so each one is a way into the other.
You can mitigate that by using a dedicated mailbox for MFA and recovery mail, preferably with a zero-knowledge provider too.
⚠️ You are still vulnerable to phishing
Browser extensions and apps can also be dangerous. In general, your passwords are safe with the majority of online providers; just remember you are trusting a third party with your vault, whereas a cold vault stays local (and can be moved easily).
What to store in it 🗄️
Credit card option? That means trusting the PM with it…
Again, unless the PM is open-source, neither you nor the community has any way to verify that the data is stored safely.
And again, it's called a password manager because it's made for passwords. Credit card numbers can be stored in it, but as a precaution, keep your payment data in a separate vault.
General rule: don't put all your eggs in the same basket (MFA can live in another app, on another device, etc.).
New gen managers ⚡
Features such as dark web monitoring or breach alerts are often used as buzzwords. These monitoring services are mostly offered by closed-source businesses (LastPass, Dashlane…), and they haven't proved themselves yet.
Moreover, you can do it yourself with the sites cited earlier (intelx, haveibeenpwned…), and even register your email addresses to be alerted when they appear in a new breach (for free).
You should ask yourself why a password manager can be valued at 6.8 billion…
Reputable choice(s) ✅
- /offline KeePassXC: a great lad, fully open-source and actively updated.
- /online Bitwarden: also open-source, and less… "marketing oriented" than its competitors.
Do backups:
- Make a weekly vault backup on a spare drive or online, and check that the copy actually opens. This is trickier with online PMs, where you depend on their export feature (prefer an encrypted export over a plain CSV left lying around).
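A backup you have never verified is a hope, not a backup. The following is an added example, not code from this guide or from KeePassXC: it copies an offline vault file to a timestamped name, writes a SHA-256 checksum beside it, verifies the copy byte for byte, and prunes copies beyond the last N. The `.kdbx` name and the "keep 8" default are assumptions; `demo()` runs it on a constructed fake vault file in a temp directory.

```python
# Added example, not part of the original guide: timestamped, checksummed
# backup of an offline vault file (e.g. a KeePassXC .kdbx) that keeps the last
# N copies and verifies each copy before trusting it.
from __future__ import annotations

import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def prune(dest: Path, vault: Path, keep: int) -> None:
    """Delete copies older than the newest `keep` (and their checksum files).
    Names embed a UTC stamp, so lexical order is chronological order."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    copies = sorted(dest.glob(f"{vault.stem}-*{vault.suffix}"))
    for old in copies[:-keep]:
        old.unlink()
        side = old.with_name(old.name + ".sha256")
        if side.exists():
            side.unlink()


def backup_vault(vault: Path, dest: Path, keep: int = 8, now: datetime | None = None) -> Path:
    """Copy `vault` to dest/<stem>-<UTC stamp><suffix>, write a .sha256 next to
    it, verify the copy, prune old copies, and return the new copy's path."""
    vault, dest = Path(vault), Path(dest)
    if not vault.is_file():
        raise FileNotFoundError(vault)
    dest.mkdir(parents=True, exist_ok=True)
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    out = dest / f"{vault.stem}-{stamp}{vault.suffix}"
    shutil.copy2(vault, out)
    digest = sha256_file(out)
    if digest != sha256_file(vault):          # never keep a copy that doesn't match
        out.unlink()
        raise IOError("backup copy does not match source")
    out.with_name(out.name + ".sha256").write_text(f"{digest}  {out.name}\n")
    prune(dest, vault, keep)
    return out


def verify_backup(copy: Path) -> bool:
    """Recompute the checksum and compare with the recorded one (restore-time check)."""
    side = copy.with_name(copy.name + ".sha256")
    expected = side.read_text().split()[0]
    return sha256_file(copy) == expected


def demo(keep: int = 2) -> tuple[list[str], bool, str]:
    """Three backups of a constructed fake vault at fixed dates, keeping the last two."""
    root = Path(tempfile.mkdtemp())
    vault = root / "Passwords.kdbx"
    vault.write_bytes(b"constructed fake vault contents (not a real .kdbx)")
    dest = root / "backups"
    made = [backup_vault(vault, dest, keep=keep, now=datetime(2024, 1, d, tzinfo=timezone.utc))
            for d in (1, 2, 3)]
    remaining = sorted(p.name for p in dest.glob("Passwords-*.kdbx"))
    return remaining, all(verify_backup(p) for p in dest.glob("Passwords-*.kdbx")), made[-1].name
```

Run `backup_vault("~/Passwords.kdbx", "/media/spare/vault-backups")` from a weekly scheduler; the checksum file is what lets you tell a bit-rotted or tampered copy from a good one months later. The vault itself stays encrypted under its master password, which is why the copy can sit on a plain drive or a cloud share.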
MFA what’s up ? 🔑
Passwords without MFA are vulnerable. Your vault can be too.
Here, the method uses a smartphone for MFA:
Device separation is essential. I assume your laptop/PC is the main part of your infrastructure (the one you use the most). The phone that holds your MFA app should be protected on its own: device encryption, fingerprint, and a PIN/password different from your laptop's, so that a compromise of the laptop (which may not even be encrypted or MFA-protected) does not hand over the second factor. In short, TOTP is isolated by requiring forms of authentication that are different from, and independent of, your laptop.
If you use an offline password manager, you need to do manual backups (e.g. to cloud storage), or keep two separate vaults: one for your PC and main activities, the other for anything related to your phone. Obviously, adapt this as you wish.
⚠️ You don't need an internet connection to use TOTP! The secret is exchanged once during setup, and every code after that is computed locally from that secret and the current time. So you can keep your MFA app on a device with Wi-Fi off and reduce the exfiltration risk.
It is highly advised to set a proper password on your MFA app so you benefit from its vault encryption.
TOTP
Aegis works offline, its master password can be stored in the PM vault, and you can add fingerprint unlock as another layer. For TOTP, back up each service's recovery codes as soon as you enrol (you can store them in the entry's "note" field). Backing up the MFA app's own vault is essential too; you can do it manually on a spare USB drive.
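The warning above (no network needed) follows directly from how TOTP is computed, and the fact that the secret is the only thing that matters is why the MFA app's vault and its backups deserve the same care as the password vault. The following is an added example, not code from this guide or from Aegis: a stand-alone RFC 6238 TOTP generator plus the verifier side with a small clock-drift window. The base32 secret is the RFC 6238 reference-vector secret (the ASCII string `12345678901234567890`), not one of any real account; the 30-second step and 6 digits are the common defaults.

```python
# Added example, not part of the original guide: RFC 4226 HOTP / RFC 6238 TOTP
# computed locally from the shared secret. No server contact is involved.
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B reference secret, base32-encoded (the form otpauth:// URIs carry).
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32(secret_b32: str) -> bytes:
    """QR codes often carry the secret without '=' padding and with spaces; normalise."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at=None, step: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP with counter = floor(unix_time / step). Only the secret and a
    roughly correct clock are needed, which is why the app can stay offline."""
    t = int(time.time()) if at is None else int(at)
    return hotp(decode_base32(secret_b32), t // step, digits)


def verify(secret_b32: str, code: str, at=None, window: int = 1, step: int = 30) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift. Each
    comparison is constant-time so the check itself leaks nothing about the digits."""
    t = int(time.time()) if at is None else int(at)
    return any(
        hmac.compare_digest(totp(secret_b32, t + k * step, step), code)
        for k in range(-window, window + 1)
    )
```

Usage: `totp(RFC6238_SECRET_B32)` prints the current code for that secret, and `totp(RFC6238_SECRET_B32, at=59)` reproduces the RFC's first test vector (`287082`, or `94287082` with 8 digits). The practical lesson is in the inputs: anyone holding the base32 secret (a screenshot of the QR code, an unencrypted backup) can generate your codes forever, so guard the secret, not the six digits.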
Yubikeys 🔑
At first, YubiKeys can be used for specific services, the ones you consider critical (and which accept this method); the more you use them, the more comfortable you'll become with their workflow, not
YubiKeys essentially don't rely on a server to exchange a secret: the private key stays inside the hardware, so it's the "something you have" factor done properly, and a must-have MFA solution. With FIDO2/WebAuthn the response is also bound to the site's origin, which is what makes it phishing-resistant, unlike a TOTP code that a fake login page can simply relay.
Yubis are compatible with multiple protocols,
This should be the next step after TOTP, but feel free to experiment first.
Conclusion
By managing a central authority (PM + backup), with a correct MFA setup (TOTP on another device + recovery codes backed up), as well as unique or temporary email addresses for each service you use, you become far more aware of your digital footprint, and you know exactly what you have and who you are online.
Finally, don't overkill your setup. Putting your vault file on an encrypted drive is too much (and useless if both use the same master password), but your threat model may differ.